[stunnel-users] older browsers, stunnel and privoxy

kovacs janos kovacsjanosfasz at gmail.com
Tue Dec 4 19:27:15 CET 2018


Well yes, I'm pretty sure the same encryption is needed in requests and
the returned page, otherwise it would probably get a "no cipher overlap"
error.

So I basically need stunnel to encrypt outgoing requests, and decrypt
the returned things, and only on the browser side of the connection.

There's a good reason why they are deprecated, but it would be better
to add this functionality this way if possible, rather than change
whole programs, especially when it's the purpose of stunnel, according
to the description.

On 12/4/18, Flo Rance <trourance at gmail.com> wrote:
> This is not what I've understood from your first description. You would
> like to bridge TLSv1 to TLSv1.1 or TLSv1.2 before sending requests to a web
> proxy.
>
> This is why I don't think stunnel is intended for that.
>
> That said, if SSLv3 and TLSv1 have been deprecated, there's a good reason
> and you should seriously think about updating your tools.
>
> Regards,
> Flo
>
> On Tue, Dec 4, 2018 at 3:18 PM kovacs janos <kovacsjanosfasz at gmail.com>
> wrote:
>
>> Well, it says this on the first line of the website:
>> "Stunnel is a proxy designed to add TLS encryption functionality to
>> existing clients and servers without any changes in the programs'
>> code."
>>
>> I just want to add TLS functionality to client browsers which don't
>> have it. I only need stunnel to decrypt TLS traffic going back to the
>> browser.
>>
>> On 12/4/18, Flo Rance <trourance at gmail.com> wrote:
>> > Sorry I didn't read it correctly. I don't think this is something
>> > stunnel can handle.
>> >
>> > Regards,
>> > Flo
>> >
>> > On Mon, Dec 3, 2018 at 9:31 PM kovacs janos <kovacsjanosfasz at gmail.com>
>> > wrote:
>> >
>> >> Thank you for the reply.
>> >> It's the address and port where Privoxy listens for requests.
>> >> From the config file:
>> >> "#  4.1. listen-address
>> >> #  ====================
>> >> #
>> >> #  Specifies:
>> >> #
>> >> #      The IP address and TCP port on which Privoxy will listen for
>> >> #      client requests."
>> >> And under it:
>> >>
>> >> listen-address  127.0.0.1:8118
>> >>
>> >> On 12/3/18, Flo Rance <trourance at gmail.com> wrote:
>> >> > Hi,
>> >> >
>> >> > It's not clear in your description what is running on 8118 local
>> >> > port.
>> >> >
>> >> > Regards,
>> >> > Flo
>> >> >
>> >> > On Mon, Dec 3, 2018 at 2:40 PM kovacs janos <
>> kovacsjanosfasz at gmail.com>
>> >> > wrote:
>> >> >
>> >> >> Sorry to bother,
>> >> >> I'm trying to make older browsers be able to display TLS 1.1 and
>> >> >> TLS 1.2 sites.
>> >> >> I heard stunnel can't be configured to always forward to the current
>> >> >> site address dynamically, that's why I would use Privoxy.
>> >> >> The browser is configured to send to:
>> >> >> 127.0.0.1  443
>> >> >>
>> >> >> stunnel config has this at the end:
>> >> >> [Tunnel_in]
>> >> >> client = yes
>> >> >> accept = 127.0.0.1:443
>> >> >> connect = 127.0.0.1:8118
>> >> >> verifyChain = yes
>> >> >> CAfile = ca-certs.pem
>> >> >> checkHost = localhost
>> >> >>
>> >> >> 127.0.0.1:8118 is the Privoxy address.
>> >> >> This is what stunnel writes:
>> >> >> LOG5[main]: Configuration successful
>> >> >> LOG5[0]: Service [Tunnel_in] accepted connection from 127.0.0.1:3261
>> >> >> LOG5[0]: s_connect: connected 127.0.0.1:8118
>> >> >> LOG5[0]: Service [Tunnel_in] connected remote server from 127.0.0.1:3262
>> >> >>
>> >> >> And the browser infinitely loads, and never loads anything or leaves
>> >> >> the page.
>> >> >> If I remove the last 3 lines, it's the same, just with this line added:
>> >> >> LOG4[main]: Service [Tunnel_in] needs authentication to prevent MITM attacks
>> >> >>
>> >> >> But it doesn't give an error or anything.
>> >> >>
>> >> >> With a configuration like:
>> >> >> [Tunnel_out]
>> >> >> client = no
>> >> >> accept = 127.0.0.1:443
>> >> >> connect = 127.0.0.1:8118
>> >> >> cert = stunnel.pem
>> >> >>
>> >> >> This is what it gives:
>> >> >> LOG5[3]: Service [Tunnel_out] accepted connection from 127.0.0.1:3294
>> >> >> LOG3[3]: SSL_accept: 1407609B: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
>> >> >> LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
>> >> >>
>> >> >> And the browser gives a "server not found" error immediately. I'm not even
>> >> >> sure if I should use the client or server configuration in a case like
>> >> >> this, but neither of them works anyway. All I would need is for my
>> >> >> browser to get the pages decrypted, or at least in less than TLS 1.1.
>> >> >> Like how on newipnow.com I can access sites with any encryption, since
>> >> >> they are sent to the browser without encryption. The browser just
>> >> >> gives an "unencrypted tunnel" warning, which is how I found stunnel,
>> >> >> and which is exactly what I need, just locally.
>> >> >> _______________________________________________
>> >> >> stunnel-users mailing list
>> >> >> stunnel-users at stunnel.org
>> >> >> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>> >> >>
>> >> >
>> >>
>> >
>>
>
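Added example, not part of the thread or of stunnel/Privoxy: a small Python
script that reproduces the mismatch behind the two log excerpts above. With
`client = yes`, stunnel treats whatever the browser sends to 127.0.0.1:443 as
plaintext payload and starts its own TLS handshake towards 127.0.0.1:8118, so
Privoxy (which speaks plain HTTP) receives a ClientHello it never answers and
the page loads forever. With `client = no`, stunnel is the TLS endpoint and
expects a ClientHello from the browser, but a browser that has been given a
proxy address sends a plaintext `CONNECT host:443 HTTP/1.1` line, which is
exactly what OpenSSL's old SSL23_GET_CLIENT_HELLO reader reports as "https
proxy request". The helpers below classify a connection's first bytes the way
such a server does, build a minimal ClientHello for a given protocol version,
parse the CONNECT target (the per-site destination that a static
`connect = host:port` in stunnel cannot follow), and map the two configs to what
the next hop sees. All inputs, hostnames and port numbers are constructed for
the example; the `next_hop_sees` function is an illustrative model of stunnel's
behaviour, not stunnel code.

```python
"""Why neither stunnel config in the thread can bridge an old browser to
TLS 1.2 sites: a proxy-configured browser speaks plaintext HTTP CONNECT, not
TLS, on the socket it is pointed at. Added example; all inputs constructed."""
import os
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
# (major, minor) as seen on the wire -> protocol name
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
            (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_client_hello(version, cipher_suites=(0x002F,)):
    """Return one TLS record carrying a minimal ClientHello.

    `version` is the legacy client_version (major, minor) in the handshake
    body; the record-layer version is fixed at 3.1 like most real clients.
    Body = version, 32-byte random, empty session id, cipher suites,
    null compression, empty extensions.
    """
    body = struct.pack("!BB", *version)
    body += os.urandom(32)                       # client random
    body += b"\x00"                              # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                          # one compression method: null
    body += b"\x00\x00"                          # extensions length 0
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


def classify_first_bytes(data):
    """Classify the first bytes of a new connection as a TLS server would.

    Returns "tls-client-hello <version>", "https-proxy-request" (HTTP CONNECT,
    the case OpenSSL logs as 'https proxy request'), "http-request" or
    "unknown". The CONNECT/GET checks mirror OpenSSL's legacy SSL23 reader.
    """
    if (len(data) >= 11 and data[0] == TLS_HANDSHAKE and data[1] == 3
            and data[5] == CLIENT_HELLO):
        # 5-byte record header + 4-byte handshake header, then client_version
        return "tls-client-hello " + VERSIONS.get((data[9], data[10]), "unknown version")
    if data.startswith(b"CONNECT "):
        return "https-proxy-request"
    if data.startswith(HTTP_METHODS):
        return "http-request"
    return "unknown"


def parse_connect_target(data, default_port=443):
    """Extract (host, port) from an HTTP CONNECT request line, or None.

    This is the dynamic destination the browser asks for on every request;
    a TLS bridge for arbitrary sites has to dial it, which a fixed
    `connect = host:port` cannot do.
    """
    line = data.partition(b"\r\n")[0]
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] != b"CONNECT":
        return None
    try:
        authority = parts[1].decode("ascii")
    except UnicodeDecodeError:
        return None
    host, sep, port = authority.rpartition(":")
    if not sep:
        return authority, default_port
    if not port.isdigit():
        return None
    return host, int(port)


def next_hop_sees(stunnel_client_mode, browser_bytes):
    """Model of what the service behind stunnel receives for the two configs.

    client = yes: stunnel forwards the browser's bytes only inside a TLS
    session it opens itself (modelled as a TLS 1.2 ClientHello here), so the
    plain-HTTP next hop first sees a ClientHello, not a request.
    client = no: stunnel must complete a TLS handshake with the browser before
    forwarding anything; a non-TLS first message is rejected.
    """
    if stunnel_client_mode:
        return classify_first_bytes(build_client_hello((3, 3)))
    kind = classify_first_bytes(browser_bytes)
    if kind.startswith("tls-client-hello"):
        return "tls-handshake-then-forward"
    return "rejected: " + kind


# Constructed sample: what a browser pointed at a proxy sends for an HTTPS site.
BROWSER_CONNECT = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                   b"Host: www.example.com:443\r\n\r\n")

if __name__ == "__main__":
    print("browser sends   :", classify_first_bytes(BROWSER_CONNECT))
    print("target requested:", parse_connect_target(BROWSER_CONNECT))
    print("client=yes, Privoxy sees:", next_hop_sees(True, BROWSER_CONNECT))
    print("client=no, browser gets :", next_hop_sees(False, BROWSER_CONNECT))
```

A bridge that really does what the thread asks for (accept plaintext CONNECT
from an old browser, dial the requested host with TLS 1.2 and relay) is a
TLS-terminating forward proxy, not a static tunnel; since the browser then has
no certificate to check, that proxy must perform chain and hostname
verification itself or the old browser is exposed to exactly the MITM that
stunnel's LOG4 warning in the thread refers to.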


